Bijk can use two methods for data transport: Pull and Push. In the pull method our master server periodically connects to client servers (every 5 - 10 minutes), whereas in the push method client servers periodically connect to our master server. Data transport is secured via OpenSSH because it's simple, secure and available on almost every GNU/Linux OS. Final authentication is done via a hash (password) generated on the client server during bijk-node package installation.
In both methods master servers are on these IP addresses: 95.168.195.25, 95.168.195.26, 95.168.195.28, 95.168.195.29.
The pull method was the only method in the past. It works by setting up a restricted user bijk on the client machine with the custom login shell /usr/sbin/bijk-login. Your server must have an SSH server running (the port can be specified when adding a new server or on the server settings page). The restricted user is set up during bijk-node package installation (our SSH public key is distributed in the package).
You can set up firewall rules directly on your server with the iptables tool. To see your current rules run the following command:
iptables -vnL
Look for lines with your SSH port (22 by default). If you block your SSH port you have probably allowed only specific IP addresses (lines with the ACCEPT keyword) and denied everything else (lines with the DROP keyword). In that case you need to add a rule to allow connections from the Bijk master servers to your SSH port:
iptables -I INPUT -p tcp -s 95.168.195.26 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -s 95.168.195.28 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -s 95.168.195.29 --dport 22 -j ACCEPT
where 22 is the SSH port. If you use an init script to start your firewall you need to update it. Otherwise you need to run the command
iptables-save
which will write the current rules to be used while booting the system.
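As an added example (not code from the Bijk documentation), the shell script below audits iptables-save output for all four master server addresses listed above (the command list on this page omits 95.168.195.25) and prints the allow rules for a given SSH port. The rules text inside it is constructed for the demo, and the function and file names are my own; on a real server feed it the output of `iptables-save`.

```shell
#!/bin/sh
# Added example, not part of the Bijk documentation: audit saved iptables
# rules for the master server addresses this page lists and print the
# "iptables -I" commands that allow them. SAMPLE_RULES is constructed for
# the demo; on a real server use a file written by `iptables-save`.

BIJK_MASTERS="95.168.195.25 95.168.195.26 95.168.195.28 95.168.195.29"

# Print one "iptables -I INPUT ..." command per master IP for TCP port $1.
# -I inserts at the top of the chain, ahead of any catch-all DROP rule.
allow_rules() {
    for _ip in $BIJK_MASTERS; do
        printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$_ip" "$1"
    done
}

# Read iptables-save output from file $1 and, for SSH port $2, report each
# master IP that is "missing" (no ACCEPT rule for that port in INPUT) or
# "shadowed" (its ACCEPT rule sits after a DROP/REJECT rule in INPUT, so the
# earlier rule matches first). Master IPs with a usable rule print nothing.
missing_master_rules() {
    _first_drop=$(grep -n -E '^-A INPUT .*-j (DROP|REJECT)' "$1" | head -n 1 | cut -d: -f1)
    for _ip in $BIJK_MASTERS; do
        # escape the dots so they match literally in the regex
        _ip_re=$(printf '%s' "$_ip" | sed 's/\./\\./g')
        _line=$(grep -n -E "^-A INPUT .*-s ${_ip_re}(/32)? .*--dport ${2} .*-j ACCEPT" "$1" \
            | head -n 1 | cut -d: -f1)
        if [ -z "$_line" ]; then
            echo "$_ip missing"
        elif [ -n "$_first_drop" ] && [ "$_line" -gt "$_first_drop" ]; then
            echo "$_ip shadowed"
        fi
    done
}

# Constructed iptables-save output: .26 is allowed correctly, .28 was appended
# with -A after the DROP (so it never matches), .25 and .29 have no rule.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 95.168.195.26/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 95.168.195.28/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Demo run on the constructed sample (writes a temporary file, then removes it)
_demo_file="${TMPDIR:-/tmp}/bijk_rules_demo.$$"
printf '%s\n' "$SAMPLE_RULES" > "$_demo_file"
missing_master_rules "$_demo_file" 22
allow_rules 22
rm -f "$_demo_file"
```

Note that `iptables-save` itself only prints the rules to standard output; to have them restored at boot you redirect that output into the file your distribution's boot script reads (for example /etc/iptables/rules.v4 when using iptables-persistent on Debian or Ubuntu), or update the init script mentioned above.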
By default you will not need to change anything in the SSH configuration. If you make changes, be aware that if you are connected to your server via SSH and the new configuration is wrong, you will not be able to connect to your server again. So after every SSH reload check the connection in another console (leave the first console connected).
Configuration of your SSH daemon is in the file
/etc/ssh/sshd_config
To apply changes you need to reload your SSH daemon:
/etc/init.d/ssh reload
Check the following:
- AllowUsers. If there is such a line, add user bijk to the end of that line (separated with a space).
- AllowGroups. If there is such a line, add group bijk to the end of that line (separated with a space).
- ListenAddress. If there is such a line and there is only :22 or 0.0.0.0:22 behind it, it's OK. Otherwise you see some IP:port combination (there can be more lines with that option). Make sure the primary IP address and port match the configuration of your server on the server settings page on Bijk.
Check the file
/etc/hosts.allow
on your server. On most servers it contains only comments (# at the beginning of the row), but if there is something else, please see the documentation of that file:
man hosts.allow
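As an added example (not code from the Bijk documentation), the shell script below performs the sshd_config and hosts.allow checks listed above on a given file: whether bijk is admitted by AllowUsers/AllowGroups, whether ListenAddress covers the primary IP and port, whether hosts.allow holds anything besides comments, and how the corrected AllowUsers line would look. The sample configuration inside it is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Bijk documentation: check the sshd_config
# and hosts.allow items this page lists. The sample files are constructed
# for the demo; point the functions at /etc/ssh/sshd_config and
# /etc/hosts.allow on a real server. Match blocks are not interpreted.

# Print the argument(s) of directive $2 from sshd_config $1, one line per
# occurrence, skipping comment lines. Directive names are case-insensitive.
sshd_option() {
    grep -i -E "^[[:space:]]*${2}[[:space:]]+" "$1" 2>/dev/null \
        | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]]+//'
}

# Is name $3 listed by directive $2 (AllowUsers or AllowGroups) in $1?
# No such directive means no restriction, so that counts as allowed.
# Only exact names are compared (no user@host or wildcard patterns).
listed_in() {
    _vals=$(sshd_option "$1" "$2")
    [ -z "$_vals" ] && return 0
    for _v in $_vals; do
        [ "$_v" = "$3" ] && return 0
    done
    return 1
}

# Does ListenAddress in $1 let sshd accept connections on address $2 (the
# primary IPv4 address recorded in Bijk) and port $3?  No ListenAddress,
# ":PORT" and "0.0.0.0:PORT" cover all addresses; an address without a port
# uses $3, because sshd then falls back to the Port directive. IPv4 only.
listen_ok() {
    _vals=$(sshd_option "$1" ListenAddress)
    [ -z "$_vals" ] && return 0
    for _v in $_vals; do
        case "$_v" in
            *:*) _host=${_v%%:*}; _port=${_v##*:} ;;
            *)   _host=$_v;       _port=$3 ;;
        esac
        if [ "$_port" = "$3" ]; then
            case "$_host" in
                ""|0.0.0.0|"$2") return 0 ;;
            esac
        fi
    done
    return 1
}

# Print every line of hosts.allow $1 that is not blank or a comment.
# Empty output means there is nothing to review there.
hosts_allow_entries() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

# Emit sshd_config $1 with user $2 appended to every AllowUsers line, the
# change this page asks for. Writes to stdout so the result can be reviewed
# before replacing the real file and reloading sshd.
add_allow_user() {
    sed -E "s/^([[:space:]]*AllowUsers[[:space:]].*)/\1 $2/" "$1"
}

# Constructed sample files for the demo
SAMPLE_SSHD='# constructed sshd_config fragment
Port 22
ListenAddress 203.0.113.10:22
AllowUsers admin deploy
PermitRootLogin no'

SAMPLE_HOSTS_ALLOW='# /etc/hosts.allow: see man hosts.allow
# nothing configured here'

_demo_dir="${TMPDIR:-/tmp}/bijk_sshd_demo.$$"
mkdir -p "$_demo_dir"
printf '%s\n' "$SAMPLE_SSHD" > "$_demo_dir/sshd_config"
printf '%s\n' "$SAMPLE_HOSTS_ALLOW" > "$_demo_dir/hosts.allow"
if listed_in "$_demo_dir/sshd_config" AllowUsers bijk; then
    echo "AllowUsers: bijk allowed"
else
    echo "AllowUsers: bijk NOT allowed; corrected line would be:"
    add_allow_user "$_demo_dir/sshd_config" bijk | grep '^AllowUsers'
fi
if listen_ok "$_demo_dir/sshd_config" 203.0.113.10 22; then
    echo "ListenAddress: 203.0.113.10:22 covered"
fi
if [ -z "$(hosts_allow_entries "$_demo_dir/hosts.allow")" ]; then
    echo "hosts.allow: comments only"
fi
rm -rf "$_demo_dir"
```

Run the checks against the live files before and after editing sshd_config, and keep a second SSH session open while reloading the daemon, as the text above advises.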
The push method is the newer method, better suited for users behind NAT or a firewall, and the daemon enables it automatically if there was no pull for 15 minutes. The only requirement is an OpenSSH client. On the first daemon startup an SSH key pair is created under /var/lib/bijk. Then the public part is sent to our master server via a plain TCP connection to port 50010. This is repeated on every client startup in case of some issue on our server. Every 4 minutes (depends on the bijk-node version) the daemon spawns SSH to the master server on port 22, which then sets up local forwarding from 127.0.0.1:50011 on your server to 127.0.0.1:50009 on the master server (through the SSH tunnel). The period is configurable, but the minimum period for free users is 4 min. To change the period to 1 minute edit (or create) the file /etc/bijk/plugins.yml and add the following (NOTE: formatting is important and you can't use tabs):
sender:
  period: 60